Administration Guide FortiSASE SIA 21.2.14 - Amazon AWS

Administration Guide
FortiSASE SIA 21.2.14
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO GUIDE
https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM
https://www.fortinet.com/support-and-training/training.html

NSE INSTITUTE
https://training.fortinet.com

FORTIGUARD CENTER
https://www.fortiguard.com

END USER LICENSE AGREEMENT
https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: techdoc@fortinet.com

July 08, 2021
FortiSASE SIA 21.2.14 Administration Guide
00-21214-717239-20210708
TABLE OF CONTENTS

           Change log                                                                           4
           Introduction                                                                         5
           Dashboards                                                                           6
           Configuration                                                                        7
             Policies                                                                           7
               Default policies                                                                 7
               Adding policies to perform granular firewall actions and inspection              7
             Security                                                                           9
               Web Filter                                                                       9
               Application Control                                                             12
               SSL Inspection                                                                  14
               File Filter                                                                     15
             VPN                                                                               15
               VPN Users                                                                       16
               Configuring FortiSASE SIA with an LDAP server for remote user authentication    16
               Configuring FortiSASE SIA with a RADIUS server for remote user authentication   19
               Configuring FortiSASE SIA with Azure Active Directory single sign on            20
             Endpoints                                                                         21
               Profile                                                                         21
               Monitor                                                                         22
               Tagging                                                                         23
           System                                                                              28
             Certificates                                                                      28
             HTML Templates                                                                    28
           Logging                                                                             30
             Forwarding logs to an external server                                             31
           Limitations                                                                         32
             Endpoint (FortiClient)                                                            32
             FortiClient Cloud                                                                 32
             Authentication                                                                    32
           Troubleshooting                                                                     33
           Appendix - Egress IP addresses                                                      34

FortiSASE SIA 21.2.14 Administration Guide                                                          3
Fortinet Technologies Inc.
Change log

    Date                     Change Description

    2021-05-11               Initial release of 21.2.3.

    2021-06-08               Updated Endpoint (FortiClient) on page 32.

    2021-06-21               Initial release of 21.2.14.

    2021-07-08               Updated To configure remote users from the LDAP server: on page 18.

Introduction

   FortiSASE Secure Internet Access (SIA) is a SaaS-based service that allows clients to securely access the Internet with
   protection from FortiOS. With FortiSASE SIA, you can ensure that remote, off-net endpoints are protected with the
   same security policies as when they are on-net, no matter their location. The service is available through a subscription
   based on the number of endpoints.
   FortiSASE SIA works with various FortiCloud services in the background to deliver a seamless service for securing your
   Internet access.

   The onboarding process is as follows:
   1. The administrator initializes the FortiSASE SIA environment.
   2. The administrator configures policies and security components in FortiSASE SIA as desired. See Configuration on
      page 7.
   3. The administrator emails invitations to end users.
   4. FortiClient is downloaded to endpoints and connected to FortiClient Cloud using the code included in the invitation
      email. The administrator can complete this step when preprovisioning endpoints before distributing them to end users,
      or end users can complete it themselves.
   5. FortiClient connects to FortiClient Cloud to activate its FortiSASE SIA license and provision the FortiSASE SIA
      VPN tunnel.
   6. End users connect to the FortiSASE SIA tunnel to secure their traffic.
   7. FortiSASE SIA applies the appropriate policies to endpoints.
   8. The administrator can view logs in FortiSASE SIA and modify the configuration as desired. See Logging on page
      30.
   For details on the deployment process, see FortiSASE SIA Cloud Deployment.
   User provisioning is made simple, whether you are creating local users in bulk, integrating users from your Active
   Directory or LDAP server, or integrating with SAML authentication. You can also easily group your users to apply similar
   policies.
   Once provisioned, clients are connected through an always-up VPN connection to ensure FortiSASE SIA scans traffic to
   the Internet. In terms of security, FortiSASE SIA offers antivirus, web filter, intrusion prevention, file filter, data leak
   prevention, application control, and SSL inspection to protect clients. Security features are customizable and offer many
   familiar settings as you would see on a FortiGate.

Dashboards

   FortiSASE SIA includes dashboards so you can easily monitor device inventory, security threats, traffic, and network
   health. FortiSASE SIA includes the following dashboards:

    Dashboard                           Description

    Status                              Provides an overview of your current FortiSASE SIA environment and endpoint
                                        status.

    Asset Map                           Displays the geographical location of assets, including servers, on a global map.
                                        Also indicates which server has logging enabled.

    FortiView                           Comprehensive monitoring system for your network that integrates real-time and
                                        historical data into a single view. You can use it to log and monitor threats to
                                        networks, filter data on multiple levels, and keep track of administrative activity.

Configuration

Policies

    You must associate any traffic going through FortiSASE SIA with a policy. Policies control where the traffic goes, how
    FortiSASE SIA processes it, and whether or not FortiSASE SIA allows it to pass through.
    When a session is initiated through the VPN tunnel, FortiSASE SIA analyzes the connection and performs a policy
    match. FortiSASE SIA performs the match from top down and compares the session with the configured policy
    parameters. When there is a match and the action is Accept, FortiSASE SIA applies the enabled security components to
    the traffic. If the action is Deny, FortiSASE SIA blocks the traffic from proceeding.

Default policies

    FortiSASE SIA is configured with the following default policies:

     Policy                               Description

     Allow-All                            Allows traffic for all services for all VPN users. You can edit and delete this policy.

     Implicit Deny                        Denies access to traffic that does not match another configured policy. You
                                          cannot edit or delete this policy.

    With only these default policies and no custom configurations, FortiSASE SIA allows traffic to pass through the Allow-All
    policy, and applies the enabled security components for scanning and processing.

Adding policies to perform granular firewall actions and inspection

    You can add multiple policies to perform granular firewall actions and inspection. In this example, you will configure a
    policy to allow a set of remote users to access *.fortinet.com. You will block the same remote users from accessing all
    traffic to *.netflix.com.

     Policy name                          Description

     RemoteHomeOffice-DenyNetflix         Blocks remote employees (members of the Remote-Home-Office VPN user
                                          group) from accessing *.netflix.com.

     RemoteHomeOffice-                    Allows remote employees (members of the Remote-Home-Office VPN user
     AllowFortinet                        group) to access *.fortinet.com.

    The following provides instructions for configuring the described policies. You may want to configure similar policies,
    modifying settings based on your environment.


   To add policies to perform granular firewall actions and inspection:

   1. Go to Configuration > Policies.
   2. Create the RemoteHomeOffice-DenyNetflix policy:
      a. Click Create.
      b. For User, select Specify. Click +, and select the Remote-Home-Office user group from the Select Entries pane.
      c. In the Destination field, click +, then do the following:
           i. Create the Netflix host:
                i. On the Host tab, click Create.
               ii. Select IPv4 Host.
              iii. In the Name field, enter the desired name.
              iv. From the Type dropdown list, select FQDN.
               v. In the FQDN field, enter *.netflix.com. When using wildcard FQDNs, FortiSASE SIA caches the FQDN
                   address's IP addresses based on matching DNS responses.
              vi. Click OK.
          ii. Select the newly created Netflix host.
      d. In the Service field, click +. On the Select Entries pane, select ALL.
      e. Leave all other fields at their default values.
       f. Click OK.
   3. Create the RemoteHomeOffice-AllowFortinet policy:
      a. Click Create.
      b. For User, select Specify. Click +, and select the Remote-Home-Office user group from the Select Entries pane.
      c. In the Destination field, click +, then do the following:
           i. Create the Fortinet host:
                i. On the Host tab, click Create.
               ii. Select IPv4 Host.
              iii. In the Name field, enter the desired name.
              iv. From the Type dropdown list, select FQDN.
               v. In the FQDN field, enter *.fortinet.com. When using wildcard FQDNs, FortiSASE SIA caches the
                   FQDN address's IP addresses based on matching DNS responses.
              vi. Click OK.
          ii. Select the newly created Fortinet host.
      d. In the Service field, click +. On the Select Entries pane, select ALL.
      e. For Action, select Accept.
       f. Leave all other fields at their default values.
      g. Click OK.
   4. In Configuration > Policies, ensure that you order the policies so that the RemoteHomeOffice-DenyNetflix policy is
      before the RemoteHomeOffice-AllowFortinet policy, and that both of those policies are before the Allow-All policy.
   When a session is initiated through the VPN tunnel, FortiSASE SIA analyzes the connection and performs a policy
   match. FortiSASE SIA performs the match from top down and compares the session with the configured policy
   parameters. For example, consider a user who belongs to the Remote-Home-Office user group and attempts to access
   www.fortinet.com. FortiSASE SIA first attempts to match the RemoteHomeOffice-DenyNetflix policy, but the traffic is not
   for *.netflix.com. FortiSASE SIA then attempts to match the next policy, RemoteHomeOffice-AllowFortinet, which
   matches. FortiSASE SIA allows the user access to www.fortinet.com.
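   The top-down, first-match evaluation described above, as an added example in Python (not Fortinet code). It models the
   three policies from this section plus the Implicit Deny fallback; the Policy fields, the group names and the wildcard
   matching of FQDN hosts are assumptions made for the illustration, and the test run at the end shows what happens when
   Allow-All is placed above the deny policy.

```python
import fnmatch
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Policy:
    name: str
    action: str                                            # "accept" or "deny"
    users: Optional[Set[str]] = None                       # VPN user groups; None = any VPN user
    destinations: List[str] = field(default_factory=list)  # wildcard FQDN hosts; [] = any destination
    services: Set[str] = field(default_factory=lambda: {"ALL"})


def host_matches(pattern: str, fqdn: str) -> bool:
    """Wildcard FQDN host match, e.g. '*.netflix.com' against 'www.netflix.com'.
    The service resolves wildcard FQDNs from DNS responses; here the name itself is compared."""
    return fnmatch.fnmatchcase(fqdn.lower(), pattern.lower())


def policy_matches(policy: Policy, groups: Set[str], fqdn: str, service: str) -> bool:
    """A policy matches only if every configured parameter matches the session."""
    if policy.users is not None and not (policy.users & groups):
        return False
    if policy.destinations and not any(host_matches(d, fqdn) for d in policy.destinations):
        return False
    if "ALL" not in policy.services and service not in policy.services:
        return False
    return True


def evaluate(policies: List[Policy], groups: Set[str], fqdn: str,
             service: str = "HTTPS") -> Tuple[str, str]:
    """Top-down, first-match evaluation. A session that matches no policy hits Implicit Deny."""
    for policy in policies:
        if policy_matches(policy, groups, fqdn, service):
            return policy.name, policy.action
    return "Implicit Deny", "deny"


# The policies from this section, in the order that step 4 requires (constructed for the example).
POLICIES = [
    Policy("RemoteHomeOffice-DenyNetflix", "deny", {"Remote-Home-Office"}, ["*.netflix.com"]),
    Policy("RemoteHomeOffice-AllowFortinet", "accept", {"Remote-Home-Office"}, ["*.fortinet.com"]),
    Policy("Allow-All", "accept"),
]


if __name__ == "__main__":
    groups = {"Remote-Home-Office"}
    for fqdn in ("www.fortinet.com", "www.netflix.com", "www.example.test"):
        print(fqdn, "->", evaluate(POLICIES, groups, fqdn))
    # Misordered: Allow-All first shadows the deny policy, so Netflix traffic is accepted.
    misordered = [POLICIES[2], POLICIES[0], POLICIES[1]]
    print("misordered netflix ->", evaluate(misordered, groups, "www.netflix.com"))
```

   Because the session stops at the first match, a broad accept policy above a narrower deny policy silently makes the deny
   policy unreachable; the FortiView Sources dashboard (next section) shows which policy each session actually hit.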


    You can view data for access attempts on the FortiView Sources dashboard. You can view the application, destination,
    and policy information.

Security

    You can configure FortiSASE SIA security component settings and view logs for each component in Security.
    FortiSASE SIA applies the enabled security components to each Allow policy in Policies. For some security
    components, you can configure exemptions and overrides.

Web Filter

    Web filter restricts or controls user access to web resources. In FortiSASE SIA, there are three main components of Web
    Filter:


    Component                            Description

    URL Category                         Provides categories from the FortiGuard Web Filter service that you can use to
                                         filter web traffic.

    URL Filter                           Matches specific URLs or patterns (plain text, wildcards, or regular expressions) so
                                         that FortiSASE SIA can process webpages that match the criteria according to the
                                         filter action (exempt, block, allow, monitor).

    Content Filter                       Blocks or exempts webpages containing words or patterns that you specify.
                                         Additionally, in HTTPS connections, since the HTTP payload is encrypted, the
                                         default certificate inspection cannot inspect the traffic. To apply content filter on
                                         HTTPS traffic, you must use SSL deep inspection. See Certificate and deep
                                         inspection modes on page 14.

   These components interact with each other to provide maximum control over what users on your network can view and
   protect your network from many Internet content threats.
   FortiSASE SIA applies web filters in the following order:
   1. URL Filter
   2. URL Category
   3. Content Filter
   In FortiSASE SIA, there is one global Web Filter configuration that applies to all users.

   Restricting web usage using URL categories and URL filter

   To restrict web usage using URL categories and URL filter:

   1.   Go to Configuration > Security.
   2.   In the Web Filter widget, click Customize.
   3.   Enable FortiGuard Category Based Filter.
   4.   By default, FortiSASE SIA allows access to FortiGuard categories when you enable the FortiGuard category-based
        filter. To change the category action to Monitor or Block, select the desired category, then select Monitor or Block.
        The following provides descriptions of the actions:

         Type                               Description

         Allow                              Passes the traffic to the remaining web filters, antivirus inspection engine, and
                                            DLP inspection engine. If the URL does not appear in the URL list, FortiSASE
                                            SIA allows the traffic.

         Monitor                            Processes the traffic the same way as the Allow action. For the Monitor action,
                                            FortiSASE SIA generates a log message each time it establishes a matching
                                            traffic pattern.

         Block                              Denies or blocks attempts to access any URL that belongs to the category. A
                                            replacement message displays.

   5. Under URL Filter, click Create.


   6. Configure the URL filter:
      a. In the URL field, enter the desired URL.
      b. For Type, select one of the following:

            Type                              Description

            Simple                            Tries to strictly match the full context. For example, if you enter
                                              www.facebook.com in the URL field, it only matches traffic with
                                              www.facebook.com. It will not match facebook.com or
                                              message.facebook.com. When FortiSASE SIA finds a match, it performs
                                              the selected URL action.

            Wildcard                          Tries to match the pattern based on the rules of wildcards. For example, if
                                              you enter *fa* in the URL field, it matches all the content that has fa such as
                                              www.facebook.com, message.facebook.com, fast.com, and so on. When
                                              FortiSASE SIA finds a match, it performs the selected URL action.

            RegExp                            Tries to match the pattern based on the rules of regular expressions. When
                                              FortiSASE SIA finds a match, it performs the selected URL action.

       c. For Action, select one of the following:

            Type                              Description

            Allow                             Passes the traffic to the remaining web filters, antivirus inspection engine,
                                              and DLP inspection engine. If the URL does not appear in the URL list,
                                              FortiSASE SIA allows the traffic.

            Block                             Denies or blocks attempts to access any URL that matches the URL
                                              pattern. A replacement message displays.

            Exempt                            Allows the traffic to pass through, bypassing other web filters, antivirus
                                              inspection engine, and DLP inspection engine.

            Monitor                           Processes the traffic the same way as the Allow action. For the Monitor
                                              action, FortiSASE SIA generates a log message each time it establishes a
                                              matching traffic pattern.

      d. Configure the status as desired.
   7. Click OK.

   Restricting web usage using content filter

   Restricting web usage using content filter for HTTPS pages requires enabling SSL deep inspection. See Certificate and
   deep inspection modes on page 14.

   To restrict web usage using content filter:

   1. Go to Configuration > Security.
   2. In the Web Filter widget, click Customize.
   3. Under Content Filter, click Create.


    4. For Pattern Type, select one of the following:

          Type                               Description

          Wildcard                           Blocks or exempts one word or text strings of up to 80 characters. You can
                                             also use wildcard symbols such as ? or * to represent one or more characters.
                                             For example, a wildcard expression forti*.com matches fortinet.com and
                                             fortiguard.com. The * represents any character appearing any number of
                                             times.

          RegExp                             Blocks or exempts patterns of regular expressions that use some of the same
                                             symbols as wildcard expressions, but for different purposes. In regular
                                             expressions, * repeats the character immediately before it any number of times.
                                             For example, forti*.com matches fortiii.com but not fortinet.com or fortiice.com.
                                             In this case, the * applies to the i before it, appearing any number of times.

    5. In the Pattern field, enter the desired pattern.
    6. From the Language dropdown list, select the desired language.
    7. For Action, select one of the following:

          Type                               Description

          Exempt                             Allows the traffic to pass through, bypassing other content filters, antivirus
                                             inspection engine, and DLP inspection engine.

          Block                              Denies or blocks attempts to access any URL that matches the URL pattern. A
                                             replacement message displays.

    8. Configure the status as desired.
    9. Click OK.
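    The Simple, Wildcard and RegExp match types of the URL filter above, and the wildcard-versus-regular-expression
    difference of the content filter, as one added Python example (not Fortinet code; the real engine's matching is not
    reproduced). It assumes patterns are compared against hostnames, that wildcard patterns must cover the whole name,
    and that regular expressions may match anywhere in it; the rule list is constructed from the hosts the guide uses.

```python
import fnmatch
import re
from typing import Dict, List, Optional, Tuple


def matches(pattern: str, ptype: str, text: str) -> bool:
    """The three match types the guide describes for URL filter and content filter patterns."""
    if ptype == "simple":      # strict match of the whole string, nothing more or less
        return text.lower() == pattern.lower()
    if ptype == "wildcard":    # * = any characters, ? = one character, whole-string match
        return fnmatch.fnmatchcase(text.lower(), pattern.lower())
    if ptype == "regexp":      # regular expression; * repeats only the preceding character
        return re.search(pattern, text, re.IGNORECASE) is not None
    raise ValueError(f"unknown pattern type: {ptype}")


def evaluate_url_filter(rules: List[Dict], host: str) -> Optional[Tuple[str, str]]:
    """First enabled rule whose pattern matches wins and returns (action, pattern).
    None means no URL filter rule matched, so the request continues to URL Category
    and Content Filter. 'exempt' also bypasses antivirus and DLP; 'allow' and
    'monitor' pass the traffic on to them; 'block' drops it with a replacement message."""
    for rule in rules:
        if not rule.get("enabled", True):
            continue
        if matches(rule["url"], rule["type"], host):
            return rule["action"], rule["url"]
    return None


def content_filter_hits(pattern: str, ptype: str, names: List[str]) -> List[str]:
    """Which of the given names a content filter pattern of the given type would match."""
    return [n for n in names if matches(pattern, ptype, n)]


# Constructed URL filter rule list; the first two patterns are the guide's own examples.
URL_RULES = [
    {"url": "www.facebook.com", "type": "simple", "action": "block"},
    {"url": "*fa*", "type": "wildcard", "action": "monitor"},
    {"url": r"^intranet\.example\.test$", "type": "regexp", "action": "exempt", "enabled": False},
]

# Names the guide uses to contrast wildcard and regular-expression content filter patterns.
CONTENT_NAMES = ["fortinet.com", "fortiguard.com", "fortiii.com", "fortiice.com"]


if __name__ == "__main__":
    for host in ("www.facebook.com", "facebook.com", "message.facebook.com", "fast.com", "example.test"):
        print(host, "->", evaluate_url_filter(URL_RULES, host))
    print("wildcard forti*.com ->", content_filter_hits("forti*.com", "wildcard", CONTENT_NAMES))
    print("regexp   forti*.com ->", content_filter_hits("forti*.com", "regexp", CONTENT_NAMES))
```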

Application Control

    FortiSASE SIA can recognize network traffic generated by a large number of applications. Application control uses IPS
    protocol decoders that can analyze network traffic to detect application traffic, even if the traffic uses non-standard ports
    or protocols. Application control supports traffic detection using the HTTP protocol (versions 1.0, 1.1, and 2.0).
    In FortiSASE SIA, there is one global Application Control configuration that applies to all users.

    To configure application control:

    1.   Go to Configuration > Security.
    2.   Enable Application Control.
    3.   In the Application Control widget, click Customize.
    4.   The Application Control pane displays the application categories. You can configure one of the following actions for
         each category:

          Type                               Description

          Allow                              Passes the traffic to the web filters, antivirus inspection engine, and DLP
                                             inspection engine.

        Monitor                            Processes the traffic the same way as the Allow action. For the Monitor action,
                                           FortiSASE SIA generates a log message each time it establishes a matching
                                           traffic pattern.

        Block                              Denies or blocks attempts to access any application that belongs to the
                                           category. A replacement message displays.

   5. In Blocked Applications, you can block individual applications, overriding the action configured for their category.
      For example, you can allow the Video/Audio category, and block YouTube. Click +, then select the desired
      applications from the Select Entries pane.

   6. Click OK.
   When the user attempts to access YouTube under these settings, they see the following message in their browser.


SSL Inspection

    Secure sockets layer (SSL) inspection allows FortiSASE SIA to inspect the SSL/TLS layer during certificate inspection
    and upper layers during deep inspection. This enables FortiSASE SIA to filter and protect secured traffic that the various
    security profiles have processed. SSL inspection not only protects traffic over HTTPS, but also from other commonly
    used encrypted protocols such as SMTPS, POP3S, IMAPS, and FTPS. FortiSASE SIA supports two types of SSL
    inspection.

    Certificate and deep inspection modes

    You can configure FortiSASE SIA SSL inspection to use certificate or deep inspection.

     Mode                                 Description

     Certificate inspection               FortiSASE SIA inspects only the header information up to the SSL/TLS layer.
                                          Certificate inspection verifies the identity of web servers by analyzing the
                                          SSL/TLS negotiations by looking at the server certificate and TLS connection
                                          parameters. Therefore web filter can perform FortiGuard category web filtering,
                                          URL filtering, and other filtering that does not require looking at the payload when
                                          certificate inspection is enabled.

     Deep inspection                       FortiSASE SIA decrypts and inspects the content to find threats and block them.
                                          It then re-encrypts the content and sends it to the real recipient. You can configure
                                          exemptions for deep inspection.
                                          While HTTPS offers protection on the Internet by applying SSL encryption to web
                                          traffic, malicious traffic can also use SSL encryption to get around your network's
                                          normal defenses.
                                          For example, you may download a file containing a virus during an e-commerce
                                          session or receive a phishing email containing a seemingly harmless download
                                          that, when launched, creates an encrypted session to a command and control
                                          (C&C) server and downloads malware onto your computer. SSL inspection can
                                          be used to protect against infiltration by scanning for malicious content in your
                                          HTTPS web traffic or identifying phishing content in encrypted mail exchanges.
                                          SSL inspection can also defend against exfiltration while an infected host calls
                                          home to a C&C server or leaks company secrets over encrypted sessions.
                                          When you use deep inspection, FortiSASE SIA serves as the intermediary to
                                          connect to the SSL server. It decrypts and inspects the content to find threats and
                                          blocks them. The recipient is presented with the FortiSASE certificate or a custom
                                          certificate instead of the real server certificate. FortiClient receives the certificate
                                          automatically and endpoint users do not see any certificate browser warnings.

    Exempting hosts, URL categories, or service from deep inspection

    In some scenarios, you may not want to perform SSL deep inspection and simply choose to trust the connections or the
    user initiating the connections. For example, for banking-related traffic, most end users do not want deep inspection
    applied, for privacy reasons. Similarly, traffic related to personal health and wellness may contain personal information
    that is too sensitive to be scanned. As such, when defining deep inspection, FortiSASE SIA exempts the Finance and
    Banking and Health and Wellness categories by default.


    In other cases, a user or user group may need to access websites without deep inspection. Exempting the user prevents
    their connections from SSL deep inspection scanning altogether.

    To exempt hosts, URL categories, or services from deep inspection:

    1.   Go to Configuration > Security.
    2.   In the SSL Inspection widget, click Customize.
    3.   Enable Deep Inspection.
    4.   In the Exempt Hosts, URL Categories, and Services fields, click +.
    5.   In the Select Entries pane, select the desired hosts, URL categories, and services to exempt from deep inspection.
    6.   Click OK.

    Uploading a certificate for deep inspection mode

    By default, you can download the certificate authority (CA) certificate of the FortiSASE CA, Fortinet_CA_SSL, which
    signs the certificates used to encrypt SSL connections when performing deep inspection. If desired, you can upload a
    custom CA certificate and key to perform deep inspection instead.

    To upload a certificate for deep inspection mode:

    1.   Go to Configuration > Security.
    2.   In the SSL Inspection widget, click Customize.
    3.   Enable Deep Inspection.
    4.   From the CA Certificate dropdown list, select Create.
    5.   Configure the fields and upload the certificate and key files as needed.
    6.   Click OK.
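    To confirm from an endpoint whether a host is actually being deep-inspected or has been exempted, the following added
    example (not Fortinet code) classifies the certificate the endpoint receives by its issuer: the Fortinet_CA_SSL name
    is the one given above, the certificate dictionaries follow Python's ssl.getpeercert() format, and the two sample
    certificates are constructed. fetch_cert is the live variant and assumes the downloaded CA certificate is available as a
    PEM file when the endpoint's own trust store does not already contain it.

```python
import socket
import ssl
from typing import Dict, Iterable, Optional

# CA named in this section as the default signer during deep inspection.
DEFAULT_INSPECTION_CA = "Fortinet_CA_SSL"


def issuer_cn(cert: Dict) -> Optional[str]:
    """Read the issuer common name from a certificate in ssl.getpeercert() dictionary form."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def inspection_mode(cert: Dict, inspection_cas: Iterable[str] = (DEFAULT_INSPECTION_CA,)) -> str:
    """'deep' when the leaf certificate was issued by the FortiSASE CA (or an uploaded custom
    CA listed in inspection_cas); otherwise 'passthrough', meaning certificate inspection only
    or a host, URL category or service exemption from deep inspection."""
    return "deep" if issuer_cn(cert) in set(inspection_cas) else "passthrough"


def fetch_cert(host: str, port: int = 443, cafile: Optional[str] = None,
               timeout: float = 5.0) -> Dict:
    """Live check from an endpoint connected to the FortiSASE SIA tunnel. cafile, if given, is the
    downloaded CA certificate (PEM) so the re-signed chain verifies and getpeercert() returns the
    parsed leaf; a chain the endpoint does not trust raises ssl.SSLCertVerificationError, which is
    itself a sign that the presented certificate is not the expected one."""
    ctx = ssl.create_default_context()
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in getpeercert() form; these are not real certificates.
SAMPLE_INSPECTED = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("commonName", "Fortinet_CA_SSL"),),),
}
SAMPLE_EXEMPT = {
    "subject": ((("commonName", "online.examplebank.test"),),),
    "issuer": ((("organizationName", "Example Public CA"),), (("commonName", "Example Public CA R1"),)),
}


if __name__ == "__main__":
    for label, cert in (("inspected", SAMPLE_INSPECTED), ("exempt", SAMPLE_EXEMPT)):
        print(label, "issuer:", issuer_cn(cert), "->", inspection_mode(cert))
```

    A host in the Finance and Banking category should classify as passthrough with the default exemptions, while a host in
    an inspected category should show the FortiSASE CA (or your uploaded custom CA) as issuer.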

File Filter

    File Filter allows you to block or monitor specific file types. Inspection is based on file type only, not on file content.

    To block traffic by file type:

    1.   Go to Configuration > Security.
    2.   In the File Filter widget, click Customize.
    3.   Click into the Blocked field.
    4.   In the Select Entries pane, select the desired file types to block.
    5.   Click OK.

VPN

    In VPN, you can control VPN and network access for different users and devices in your network. FortiSASE SIA
    authentication controls system access by user group. By assigning individual users to the appropriate user groups, you
    can control each user’s access to network resources. You can define local users and remote users in FortiSASE SIA.
    You can also integrate user accounts on remote authentication servers and connect them to FortiSASE SIA.

VPN Users

    To create a local VPN user:

    1. Go to Configuration > VPN Users.
    2. Click Create > User.
    3. In the Email field, enter the desired email. FortiSASE SIA will send instructions and an invitation code to this email
       address. The user uses this code to connect FortiClient to FortiSASE SIA.
    4. If desired, enable and configure the Password field. Users change their password during the activation process.
       You may want to configure a password if you anticipate that you will need administrative access to this VPN user
       before the activation process.
    5. Click OK.

    To create a user group:

    1.   Go to Configuration > VPN Users.
    2.   Click Create > User Group.
    3.   In the Members field, click +.
    4.   In the Select Entries pane, select the desired users to add to this user group.
    5.   In the Remote Groups field, select Create.
    6.   From the Remote Server dropdown list, select the desired LDAP, RADIUS, or SAML server.
    7.   In the Groups field, add the desired groups from the selected server to this user group. Click OK.
    8.   Click OK.

    To import users in bulk using a CSV file:

    1. Go to Configuration > VPN Users.
    2. Click Import/Export > Import Users.
    3. In the Import Users pane, click Browse.
    4. Browse to and upload the CSV file that contains the desired email addresses. Click Next.
    5. The Import Users pane displays the email addresses that it detected in the CSV file after removing those already
       associated with existing VPN users. Review the list of email addresses.
    6. Click Import. The imported users display on the VPN Users page.

Configuring FortiSASE SIA with an LDAP server for remote user authentication

    Configuring remote users over LDAP allows FortiSASE SIA to easily integrate with a Windows Active Directory (AD)
    server or another LDAP server. This example has a Windows domain controller that has users defined in its AD. You
    want to allow certain users VPN access over FortiSASE SIA. These users will connect using their Windows domain
    credentials.

   The Windows server is protected by a FortiGate that uses a virtual IP address (VIP) to port forward port 10636 to the
   Windows server. Communication over this VIP is allowed only for the FortiSASE SIA IP address. The example domain is
   KLHOME.local.

   Configuring the LDAP server in FortiSASE SIA

   To configure the LDAP server in FortiSASE SIA:

   1. Go to Configuration > LDAP.
   2. Click Create.
   3. Configure the following settings:

        Field                             Description

        Name                              Connection name.

        Server IP/Name                    LDAP server IP address or FQDN.

        Server Port                       By default, LDAP uses port 636 and a secure connection. If you are using a
                                          custom port, define it here. In this example, it is 10636.

        Common Name Identifier            This is the attribute in which your LDAP server identifies the username. In an
                                          AD, this is commonly the common name attribute, which is denoted cn.
                                          Alternatively, you can use sAMAccountName. This is case-sensitive. In other
                                          LDAP servers, it may be the user ID, which is denoted uid.

        Distinguished Name                Used to look up user account entries on the LDAP server. It reflects the
                                          hierarchy of LDAP database object classes above the CN identifier in which
                                          you are doing the lookup.
                                          If you wanted to recursively look up all objects under the root domain in the
                                          example AD, you would specify dc=KLHOME,dc=local. If you wanted to look
                                          up users under a specific organizational unit, you would specify
                                          ou=VPN-Users,dc=KLHOME,dc=local.

        Secure Connection                 Enable to connect to the server using LDAPS. Using LDAPS is recommended
                                          to ensure an encrypted connection. If disabled, communication occurs in
                                          clear text.

        Server Identity Check              If enabled, the server certificate must include the server IP address/name
                                           defined in the Server IP/Name field.

        Certificate                        Select the CA certificate for your LDAPS connection. If this certificate is not
                                           signed by a known CA, you must export the certificate from your server and
                                           install this on FortiSASE SIA. To import the certificate, do the following:
                                            1. Click Certificate, then Create.
                                            2. If you have the certificate file, select File.
                                            3. Click Upload. This creates a new remote CA certificate in the FortiSASE
                                               SIA certificate store.
                                           You can also import and view the certificate in System > Certificates.

   4. Configure the following Authenticate settings:

        Field                              Description

        Bind Type                          Select one of the following. Regular bind is recommended:
                                           - Simple: bind using simple password authentication using the client name.
                                             The LDAP server only looks up against the distinguished name (DN), but
                                             does not search on the subtree.
                                           - Anonymous: bind using an anonymous user and search starting from the
                                             DN and recurse over the subtrees. Many LDAP servers do not allow this.
                                           - Regular: bind using the username/password provided and search starting
                                             from the DN and recurse over the subtrees.

        Username                           If using regular bind, enter the username. In the example AD, this may be
                                           KLHOME\administrator or administrator@KLHOME.

        Password                           If using regular bind, enter the password.

   5. Click Test connection. If the connection fails, return to the previous steps to reconfigure the LDAP server, or skip the
      test. If the connection succeeds, click Next.
   6. Review the configuration, then click Submit.
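
    The following is an added example, not Fortinet's code, showing how the Common Name Identifier, Distinguished
    Name, and Bind Type settings above interact. It models the example KLHOME.local directory as a small in-memory
    table (the entries, the account "Joan Example" under ou=VPN-Users, and the sAMAccountName values are
    constructed). It assumes that a Simple bind forms the user DN as <CN identifier>=<username>,<DN> and checks only
    that entry, while a Regular (or Anonymous) bind searches the whole subtree below the DN; this is why a user placed in
    an OU is not found by a Simple bind against the domain root, and why the attribute name is case-sensitive.

```python
# Added example (not Fortinet's code): toy model of the example KLHOME.local directory, used to show how
# the CN identifier, DN and bind type settings determine whether a VPN user can be found.
# Assumptions: Simple bind builds "<cn identifier>=<username>,<DN>" and checks only that entry;
# Regular/Anonymous bind searches every entry below the DN for attribute == username.
from typing import Dict, List, Optional

# Constructed directory entries keyed by DN. Attribute names are stored exactly as the server exposes them.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "dc=KLHOME,dc=local": {"objectClass": "domain"},
    "cn=Users,dc=KLHOME,dc=local": {"objectClass": "container"},
    "cn=administrator,cn=Users,dc=KLHOME,dc=local": {
        "cn": "administrator", "sAMAccountName": "administrator"},
    "ou=VPN-Users,dc=KLHOME,dc=local": {"objectClass": "organizationalUnit"},
    "cn=Joan Example,ou=VPN-Users,dc=KLHOME,dc=local": {
        "cn": "Joan Example", "sAMAccountName": "jexample"},
}


def _under(dn: str, base_dn: str) -> bool:
    """True if dn equals base_dn or lies anywhere in the subtree below it (DNs compared case-insensitively)."""
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)


def simple_bind_lookup(cn_identifier: str, username: str, base_dn: str) -> Optional[str]:
    """Simple bind: the user DN is built from the CN identifier and the configured DN; only that entry is checked."""
    user_dn = f"{cn_identifier}={username},{base_dn}"
    for dn in DIRECTORY:
        if dn.lower() == user_dn.lower():
            return dn
    return None


def subtree_search(base_dn: str, attribute: str, value: str) -> List[str]:
    """Regular/Anonymous bind: search from the DN down through every subtree for attribute == value.
    The attribute name itself is matched case-sensitively, as the guide notes for the CN identifier."""
    return [dn for dn, attrs in DIRECTORY.items()
            if _under(dn, base_dn) and attrs.get(attribute) == value]


def resolve_user(bind_type: str, cn_identifier: str, username: str, base_dn: str) -> Optional[str]:
    """Return the DN FortiSASE SIA would authenticate, or None if the user is not found under these settings."""
    if bind_type == "Simple":
        return simple_bind_lookup(cn_identifier, username, base_dn)
    if bind_type in ("Regular", "Anonymous"):
        hits = subtree_search(base_dn, cn_identifier, username)
        return hits[0] if len(hits) == 1 else None  # missing or ambiguous: refuse rather than guess
    raise ValueError(f"unknown bind type {bind_type!r}")


if __name__ == "__main__":
    root = "dc=KLHOME,dc=local"
    print("Simple bind from root :", resolve_user("Simple", "cn", "Joan Example", root))
    print("Regular bind from root:", resolve_user("Regular", "cn", "Joan Example", root))
    print("Regular, sAMAccountName:", resolve_user("Regular", "sAMAccountName", "jexample", root))
```

    Running the block shows the practical consequence: with the DN set to the domain root, a Simple bind cannot see
    "Joan Example" inside ou=VPN-Users, whereas a Regular bind finds her by cn or by sAMAccountName; using "CN" instead
    of "cn" as the identifier finds nobody.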

   Configuring remote users from the LDAP server

   To configure remote users from the LDAP server:

   1. Go to Configuration > VPN Users.
   2. Click Create > Remote User.
   3. From the LDAP Server dropdown list, select the server that you configured. Click Next.
   4. FortiSASE SIA displays the available remote users. It displays all users starting from the root of the DN to the
      subtrees. Select users as desired. Click Next.
   5. Provide the users' email addresses. FortiSASE SIA sends invitation codes and connection instructions to these
      email addresses.
   6. Click OK.

    Connecting VPN from FortiClient

    The end user follows these instructions to connect to the FortiSASE SIA VPN tunnel.

    To connect VPN from FortiClient:

    1. Follow the instructions from the received email to install the compatible FortiClient version onto your device.
    2. Once installed, open FortiClient.
    3. On the ZERO TRUST TELEMETRY tab, in the Join FortiClient Cloud field, enter the invitation code from the
       received email.
    4. FortiClient connects to and becomes provisioned by FortiClient Cloud. On the REMOTE ACCESS tab, connect to
       the preconfigured VPN tunnel using your Windows username and password. If the administrator configured the CN
       identifier as cn, the username is likely the user's full name. Once connected, the REMOTE ACCESS tab displays
       the active VPN connection and additional information.

Configuring FortiSASE SIA with a RADIUS server for remote user authentication

    To configure the RADIUS server in FortiSASE SIA:

    1. Go to Configuration > RADIUS.
    2. Click Create.
    3. Configure the following settings:

         Field                             Description

         Name                              Connection name.

         Authentication Type               If you know the RADIUS server uses a specific authentication protocol, select
                                           Specify and select the desired protocol from the list. Otherwise, select Default.

         NAS IP                            (Optional) Enter the IP address that FortiSASE SIA will use to communicate
                                           with the RADIUS server.

         Include All Users                 Allow all users on the RADIUS server to authenticate with FortiSASE SIA.

    4. Configure the following Configure Servers settings. If the primary server does not respond, FortiSASE SIA sends
       the access request to the secondary server if configured:

         Field                              Description

         Primary Server

         IP/Name                            Enter the domain name or IP address of the RADIUS server.

         Secret                             Enter the server secret key. This value must match the secret on the RADIUS
                                            primary server.

         Secondary Server

         IP/Name                            (Optional) Enter the domain name or IP address of the secondary RADIUS
                                            server.

         Secret                             (Optional) Enter the secondary server secret key. This value must match the
                                            secret on the RADIUS secondary server.

    5. Click Test connection. If the connection fails, return to the previous steps to reconfigure the RADIUS server(s), or
       skip the test. If the connection succeeds, click Next.
    6. Review the configuration, then click Submit.
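
    The following is an added example, not Fortinet's code, showing why the Secret configured above must match the one
    on the RADIUS server. It implements the two RFC 2865 shared-secret primitives in plain Python: the User-Password
    hiding that FortiSASE SIA applies in its Access-Request and the Response Authenticator that lets it verify an
    Access-Accept or Access-Reject came from a server holding the same secret. The secret, password, and packet
    contents are constructed values for the demonstration.

```python
# Added example (not Fortinet's code): RFC 2865 shared-secret primitives. The secret never crosses the wire;
# it keys the User-Password hiding in the request and the Response Authenticator on the reply.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3


def _xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """User-Password attribute encoding (RFC 2865 section 5.2): MD5 keystream chained block by block."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS passwords are 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        block = _xor16(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return bytes(out)


def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password, as the server performs it. Trailing NUL padding is stripped."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor16(block, hashlib.md5(secret + prev).digest())
        prev = block
    return bytes(out).rstrip(b"\x00")


def build_response(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = 20 + len(attrs)
    header = struct.pack("!BBH", code, ident, length)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: recompute the Response Authenticator with our own secret and compare in constant time."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = build_response(code, ident, request_auth, packet[20:], secret)[4:20]
    return hmac.compare_digest(expected, packet[4:20])


def demo() -> bool:
    """Mismatched secrets: the server cannot recover the password and its reply fails verification."""
    secret = b"constructed-shared-secret"
    request_auth = os.urandom(16)
    hidden = hide_password(secret, request_auth, b"CorrectHorseBattery")
    wrong_guess = reveal_password(b"other-secret", request_auth, hidden)
    reply = build_response(ACCESS_ACCEPT, 7, request_auth, b"", b"other-secret")
    return wrong_guess != b"CorrectHorseBattery" and not verify_response(reply, request_auth, secret)


if __name__ == "__main__":
    print("secret mismatch detected:", demo())
```

    A reply that fails verify_response is simply dropped by a conforming client, which is why a typo in either server's
    secret shows up as the Test connection step timing out rather than as an explicit rejection.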

Configuring FortiSASE SIA with Azure Active Directory single sign on

    You can configure a single sign on (SSO) connection with Azure Active Directory (AD) via SAML, where Azure AD is the
    identity provider (IdP) and FortiSASE SIA is the service provider (SP). This feature allows end users to connect to VPN
    by logging in with their Azure AD credentials.

    Configuring FortiSASE SIA with Azure AD SSO

    To configure FortiSASE SIA with Azure AD SSO:

    1. In FortiSASE SIA, go to Configuration > Single Sign On (SSO). The first step of the SSO configuration wizard
       displays the entity ID, SSO URL, and single logout URL. You will use these values to configure FortiSASE SIA as a
       service provider (SP) in Azure. Copy these values.
    2. Create and configure your FortiSASE SIA environment in Azure:
       a. In the Azure portal, go to Azure Active Directory > Enterprise applications > New application.
       b. Search for and select FortiSASE SIA.
       c. Click Create.
       d. Assign Azure AD users and groups to FortiSASE SIA.
       e. Go to Set up single sign on.
        f. For the SSO method, select SAML.
       g. In Basic Configuration, enter the values that you copied in step 1 in the Identifier (Entity ID), Reply URL, Sign
           on URL, and Logout URL fields. Click Save.
    3. Obtain the identity provider (IdP) information from Azure:
       a. The SAML Signing Certificate box contains links to download the SAML certificate. Download the certificate.
       b. The Set up box lists the IdP information that you must provide to FortiSASE SIA. Copy the values in the Login
           URL, Azure AD Identifier, and Logout URL fields.
    4. Configure the IdP information in FortiSASE SIA:
       a. In FortiSASE SIA, click Next in the SSO wizard. In the IdP Entity ID, IdP Single Sign-On URL, and IdP Single
           Log-Out URL fields, paste the values that you copied from the Azure AD Identifier, Login URL, and Logout URL
           fields, respectively.
       b. From the IdP Certificate dropdown list, select Create, then upload the certificate that you downloaded. Click
           Next.
    5. Review the SAML configuration, then click Submit.
    6. Configure the Azure user group in FortiSASE SIA:
       a. Go to Configuration > VPN Users.
       b. Select Create > User Group.
       c. Under Remote Groups, click Create.
       d. From the Remote Server dropdown list, select the Azure AD that you configured.
       e. If desired, configure an Azure group. In the Groups field, enter the Azure group ID for the desired group. Ensure
          that you enter the group ID, and not the group name.
       f. Click OK.
       g. Configure other fields as desired, then click OK.

    Verifying Azure AD SAML SSO configuration

    To verify the Azure SAML SSO configuration:

    1. In FortiClient on an endpoint, go to the REMOTE ACCESS tab. The tab should display a SAML Login button.
    2. Click the SAML Login button.
    3. In the dialog, sign in with your Azure AD credentials to connect to VPN.

Endpoints

    In Endpoints, you can define the configuration of FortiClient software on endpoints. You can also monitor endpoint
    statuses and deregister endpoints.

Profile

    The Removable Media Access Control feature does not currently work as expected. Do not configure this feature.

    To configure Profile options:

    1. Go to Configuration > Profile.
    2. Enable or disable Notify Endpoint of VPN Connectivity Issues. When enabled, a notification displays to the end user
       when FortiClient cannot connect to FortiSASE SIA VPN.
    3. Enable or disable Auto Connect to FortiSASE SIA. When enabled, FortiClient automatically connects to the
       FortiSASE SIA VPN tunnel when the end user logs into the endpoint. The end user must have established
       connection to the FortiSASE SIA VPN tunnel at least once before.
    4. Enable Trusted Traffic. Traffic configured as trusted traffic is excluded from the FortiSASE SIA VPN tunnel and
       redirected to the endpoint physical interface. For example, you may want to add a high bandwidth-consuming
       application, such as Microsoft Teams or Zoom, as trusted traffic. Configure trusted traffic:
        a. Click Create.
        b. Configure the following fields:

             Option       Description

             Type         Select Infrastructure, FQDN, or Local Application.

             Match        - If you selected Infrastructure, select the desired application from the dropdown list.
                          - If you selected FQDN, enter the desired FQDN. The FQDN's resolved IP address is
                            dynamically added to the route table when in use, and is removed after disconnection. For
                            example, if you want to exclude YouTube from the VPN tunnel, you can enter youtube.com.
                            When endpoint users use any popular browser such as Chrome, Edge, or Firefox to access
                            youtube.com or *.youtube.com, this traffic does not go through the VPN tunnel.
                          - If you selected Local Application, specify an application using its process name, full path, or
                            the directory where it is installed. When entering a directory, you must end the value with
                            \. You can enter file and directory paths using environment variables, such as
                            %LOCALAPPDATA%, %programfiles%, and %appdata%. Do not use spaces at the head or tail
                            of a value, and do not add double quotes to full paths that contain spaces. You can add
                            multiple entries by separating them with a semicolon.
                            For example, to exclude Microsoft Teams and Firefox from the VPN tunnel, you can enter
                            any of the following combinations:
                            - Application Name: teams.exe;firefox.exe
                            - Full Path: C:\Users\appData\Local\Microsoft\Teams\current\Teams.exe;C:\Program Files\Mozilla Firefox\firefox.exe
                            - Directory: C:\Users\appData\Local\Microsoft\Teams\current\;C:\Program Files\Mozilla Firefox\
                            To find a running application's full path, on the Details tab in Task Manager, add the Image
                            path name column.

       c. Click OK.
    5. Click OK.
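
    The following is an added example, not Fortinet's code, for checking Local Application trusted-traffic values
    before entering them. It applies the rules stated above (semicolon-separated entries; a process name, a full path, or
    a directory that must end in \; environment variables such as %LOCALAPPDATA% allowed; no leading or trailing spaces
    and no double quotes) and then shows which running process paths each entry would match. The environment mapping,
    the process paths, and the case-insensitive matching of Windows paths are assumptions made for the demonstration.

```python
# Added example (not Fortinet's code): validator and matcher for Local Application trusted-traffic entries.
# Matching semantics (case-insensitive Windows paths, directory = prefix match) are assumptions.
import re
from typing import Dict, List, Tuple

_ENV_REF = re.compile(r"%([^%]+)%")


def classify(entry: str) -> str:
    """'directory' if the value ends with a backslash, 'path' if it contains a backslash or drive, else 'process'."""
    if entry.endswith("\\"):
        return "directory"
    if "\\" in entry or ":" in entry:
        return "path"
    return "process"


def validate(entry: str) -> List[str]:
    """Problems an entry would have under the guide's rules; an empty list means the entry is acceptable."""
    problems = []
    if entry != entry.strip():
        problems.append("leading or trailing whitespace")
    if '"' in entry:
        problems.append("double quotes are not allowed, even around paths with spaces")
    if not entry.strip():
        problems.append("empty entry (check for a stray semicolon)")
    return problems


def parse_entries(value: str) -> List[Tuple[str, str, List[str]]]:
    """Split the field on ';' and return (raw entry, kind, problems) for each part."""
    return [(e, classify(e), validate(e)) for e in value.split(";")]


def expand_env(value: str, env: Dict[str, str]) -> str:
    """Expand %VAR% references case-insensitively, as Windows does; unknown variables are left untouched."""
    lookup = {k.lower(): v for k, v in env.items()}
    return _ENV_REF.sub(lambda m: lookup.get(m.group(1).lower(), m.group(0)), value)


def matches(entry: str, process_path: str, env: Dict[str, str]) -> bool:
    """Does a running process, identified by its full path, fall under this trusted-traffic entry?"""
    kind = classify(entry)
    target = expand_env(entry, env).lower()
    proc = process_path.lower()
    if kind == "process":
        return proc.rsplit("\\", 1)[-1] == target
    if kind == "path":
        return proc == target
    return proc.startswith(target)  # directory: any executable below it


def excluded_from_tunnel(field_value: str, process_path: str, env: Dict[str, str]) -> bool:
    """True if any well-formed entry in the field matches the process (malformed entries never match)."""
    return any(not problems and matches(e, process_path, env)
               for e, _kind, problems in parse_entries(field_value))


if __name__ == "__main__":
    # Constructed environment and process path for a fictitious user "joan".
    env = {"LOCALAPPDATA": "C:\\Users\\joan\\AppData\\Local", "ProgramFiles": "C:\\Program Files"}
    field = "%LOCALAPPDATA%\\Microsoft\\Teams\\current\\;firefox.exe; zoom.exe"
    for raw, kind, problems in parse_entries(field):
        print(f"{raw!r}: {kind}, problems={problems}")
    teams = "C:\\Users\\joan\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe"
    print("Teams excluded from tunnel:", excluded_from_tunnel(field, teams, env))
```

    The third entry in the sample field (" zoom.exe") is reported as having leading whitespace and is ignored by the
    matcher, which is the behaviour you want a pre-check to surface rather than discover after the profile is pushed.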

Monitor

    The Monitor page displays charts that show endpoint information, including the status and platform. You can also
    deregister an endpoint.

    To deregister an endpoint:

    1. Go to Configuration > Monitor.
    2. Select the desired endpoint.
    3. Click Deregister. FortiSASE SIA deregisters the endpoint. After the endpoint deregisters, the endpoint user can
       reregister the endpoint manually using the invitation code.

Tagging

    You can create tagging rules for Windows, macOS, Linux, iOS, and Android endpoints based on their OS versions,
    logged-in domains, running processes, and other criteria. FortiSASE SIA uses the rules to dynamically tag endpoints.

    The following occurs when using tagging rules with FortiSASE SIA and FortiClient:

    1. FortiSASE SIA sends tagging rules to endpoints.
    2. FortiClient checks endpoints using the provided rules and sends the results to FortiSASE SIA.
    3. FortiSASE SIA receives the results from FortiClient.
    4. FortiSASE SIA dynamically tags endpoints using the tag configured for each rule. You can view the dynamically
       tagged endpoints in Configuration > Tagging.

    See Tagging rule types on page 24 for descriptions of all tagging rule types.

    You can use tags to build dynamic policies that do not need to be manually reconfigured whenever endpoint statuses
    change. For example, consider that you want to block endpoints that are running Windows 7 and do not have antivirus
    (AV) running from accessing the Internet. You would configure the following:

    - A rule that applies a "Win7NoAV" tag to endpoints that are running Windows 7 and do not have AV running.
    - A policy that blocks endpoints with the Win7NoAV tag applied from accessing the Internet.

    As FortiSASE SIA receives information from endpoints, it dynamically applies and removes the Win7NoAV tag on
    endpoints. For example, if an endpoint that previously had the Win7NoAV tag applied upgraded to Windows 10 and
    enabled the FortiClient AV feature, FortiSASE SIA would automatically remove the Win7NoAV tag from the endpoint.
    That endpoint would then be able to access the Internet.

    The following instructions detail how to configure a dynamic policy that uses tags, using the Win7NoAV example:

    To configure a dynamic policy using tags:

    1. Configure the tagging rule set:
       a. Go to Configuration > Tagging, and click Create.
       b. In the Name field, enter the desired rule set name.
       c. Toggle Enabled on or off to enable or disable the rule.
       d. (Optional) In the Comments field, enter any desired comments.
       e. Under When the following rules match, click Create.
       f. Configure the AV rule:
             i. For OS, select Windows.
            ii. From the Rule Type dropdown list, select AntiVirus.
           iii. From the AntiVirus dropdown list, select AntiVirus Software is installed and running.
           iv. Toggle Negate to On.
            v. Click OK.
       g. Configure the OS rule:
             i. For OS, select Windows.
            ii. From the Rule Type dropdown list, select Operating System Version.
           iii. From the Operating System Version dropdown list, select Windows 7.
           iv. Click OK.
       h. In the Tag Name dropdown list, create a tag named "Win7NoAV".
        i. Click OK.

   2. Configure the tag as a source in a policy:
      a. Go to Configuration > Policies.
      b. Click Create.
      c. In the Source field, click +. From the Select Entries panel, under EMS Tag, select the Win7NoAV tag.
      d. For Destination, select All Internet Traffic.
      e. For Action, select Deny.
      f. Click OK.
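
    The following is an added example, not Fortinet's code, that evaluates tagging rules against endpoint telemetry the
    way this section describes, using the Win7NoAV rule set just configured. It assumes a simplified telemetry record
    (the field names and the sample endpoints are constructed) and applies the per-rule-type semantics given in the
    Tagging rule types table: AntiVirus and Running Process rules require every configured condition, Operating System
    Version, Domain, and IP Range rules are satisfied by any one condition, Negate inverts a rule, and a tag is applied
    only when every rule in the set matches. Re-running it on a new telemetry record shows the tag being removed once
    the endpoint upgrades and enables AV.

```python
# Added example (not Fortinet's code): tag evaluator for the Win7NoAV rule set. Telemetry field names are
# constructed; rule-type semantics follow the Tagging rule types table (all-of vs. any-of, Negate).
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class Endpoint:
    name: str
    os: str                      # "Windows", "macOS", "Linux", "iOS", "Android"
    os_version: str              # e.g. "Windows 7"
    av_installed_running: bool   # AV software installed and running
    av_signatures_current: bool  # AV signature up-to-date
    domain: str
    ip: str
    processes: Set[str] = field(default_factory=set)


@dataclass
class Rule:
    rule_type: str               # "AntiVirus", "Operating System Version", "Domain", "IP Range", "Running Process"
    os: str
    conditions: List[str]
    negate: bool = False


def _ip_in(addr, spec: str) -> bool:
    """spec may be a single address, a CIDR subnet, or a 'start-end' range."""
    if "-" in spec:
        start, end = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return start <= addr <= end
    if "/" in spec:
        return addr in ipaddress.ip_network(spec, strict=False)
    return addr == ipaddress.ip_address(spec)


def evaluate_rule(rule: Rule, ep: Endpoint) -> bool:
    """True if the endpoint satisfies the rule (after Negate). Rules never match endpoints of another OS."""
    if ep.os != rule.os:
        return False
    if rule.rule_type == "AntiVirus":
        state = {"installed and running": ep.av_installed_running,
                 "signature up-to-date": ep.av_signatures_current}
        result = all(state[c] for c in rule.conditions)           # all conditions
    elif rule.rule_type == "Running Process":
        running = {p.lower() for p in ep.processes}
        result = all(c.lower() in running for c in rule.conditions)  # all conditions
    elif rule.rule_type == "Operating System Version":
        result = ep.os_version in rule.conditions                  # any one version
    elif rule.rule_type == "Domain":
        result = ep.domain.lower() in {c.lower() for c in rule.conditions}  # any one domain
    elif rule.rule_type == "IP Range":
        addr = ipaddress.ip_address(ep.ip)
        result = any(_ip_in(addr, c) for c in rule.conditions)     # any one range
    else:
        raise ValueError(f"unsupported rule type {rule.rule_type!r}")
    return (not result) if rule.negate else result


def tags_for(ep: Endpoint, rule_sets: List[Tuple[str, List[Rule]]]) -> Set[str]:
    """Apply each rule set; its tag is applied only if all of its rules match. Re-run on every telemetry update."""
    return {tag for tag, rules in rule_sets if all(evaluate_rule(r, ep) for r in rules)}


# The Win7NoAV rule set from the procedure above: AV rule negated, OS version rule for Windows 7.
WIN7_NO_AV = ("Win7NoAV", [
    Rule("AntiVirus", "Windows", ["installed and running"], negate=True),
    Rule("Operating System Version", "Windows", ["Windows 7"]),
])


def policy_action(tags: Set[str]) -> str:
    """The deny policy keyed on the EMS tag; anything else falls through (constructed default: accept)."""
    return "deny" if "Win7NoAV" in tags else "accept"


if __name__ == "__main__":
    before = Endpoint("pc-01", "Windows", "Windows 7", False, False, "KLHOME", "10.0.0.5", {"explorer.exe"})
    after = Endpoint("pc-01", "Windows", "Windows 10", True, True, "KLHOME", "10.0.0.5", {"explorer.exe"})
    for ep in (before, after):
        tags = tags_for(ep, [WIN7_NO_AV])
        print(f"{ep.name} {ep.os_version}: tags={sorted(tags)} -> {policy_action(tags)}")
```

    The evaluator is deliberately stateless: FortiSASE SIA re-derives the tag set from the latest telemetry rather than
    remembering past results, which is what makes the policy follow the endpoint's current state without manual edits.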

   Tagging rule types

   The following table describes tagging rule types and the OSes that they are available for. For all rule types, you can
   configure multiple conditions using the + button.

    Rule type                OS                    Description

    AntiVirus                l    Windows          From the AntiVirus dropdown list, select the desired conditions. You can
                             l    macOS            require that an endpoint have AV software installed and running and
                             l    Linux            that the AV signature is up-to-date. You can also use the Negate option
                                                   for the rule to require that the endpoint does not have AV software
                                                   installed or running or that the AV signature is not up-to-date. This rule
                                                   applies for FortiClient AV.
                                                   For Windows endpoints, this rule type also applies for third-party AV
                                                   software that registers to the Windows Security Center. The third-party
                                                   software notifies the Windows Security Center of the status of its
                                                   signatures. FortiClient queries the Windows Security Center to
                                                   determine what third party AV software is installed and if the software
                                                   reports signatures as up-to-date.
                                                   The endpoint must satisfy all configured conditions to satisfy this rule.

    Certificate              l    Windows          In the Subject CN and Issuer CN fields, enter the certificate subject and
                             l    macOS            issuer. You can also use the Negate option to indicate that the rule
                             l    Linux            requires that a certain certificate is not present for the endpoint.
                                                   FortiClient checks certificates in the current user personal store and
                                                   local computer personal store. It does not check in trusted root or other
                                                   stores.
                                                   The endpoint must satisfy all conditions to satisfy this rule. For example,
                                                   if the rule is configured to require certificate A, certificate B, and not
                                                   certificate C, then the endpoint must have both certificates A and B and
                                                   not certificate C.

    Domain                   l    Windows          In the Domain field, enter the domain name. If the rule is configured for
                             l    macOS            multiple domains, FortiSASE SIA considers the endpoint as satisfying
                                                   the rule if it belongs to one of the configured domains.

    EMS Management           l    Windows          FortiSASE SIA considers the endpoint as satisfying the rule if the
                             l    macOS            endpoint has FortiClient installed and Telemetry is connected.
                             l    Linux
                             l    iOS
                             l    Android

FortiSASE SIA 21.2.14 Administration Guide                                                                                       24
Fortinet Technologies Inc.
Configuration

    Rule type                OS              Description

    File                     l    Windows    In the File field, enter the file path. You can also use the Negate option
                             l    macOS      to indicate that the rule requires that a certain file is not present on the
                             l    Linux      endpoint.
                                             The endpoint must satisfy all configured conditions to satisfy this rule.
                                             For example, if the rule is configured to require file A, file B, and NOT file
                                             C, then the endpoint must have both files A and B and not file C.

    IP Range                 l    Windows    In the IP Range field, enter the IP address, IP address range, or IP
                             l    macOS      address with subnet. If multiple IP ranges and/or addresses are
                             l    Linux      configured, FortiSASE SIA considers the endpoint as satisfying the rule
                             l    iOS        if its IP address matches one of the configured ranges or addresses.
                             l    Android

    Operating System         l    Windows    From the Operating System Version field, select the OS version. If the
    Version                  l    macOS      rule is configured for multiple OS versions, FortiSASE SIA considers the
                             l    Linux      endpoint as satisfying the rule if it has one of the configured OS
                             l    iOS        versions installed.
                             l    Android

    Registry Key             l    Windows    In the Key field, enter the registry path or value name. End the path with
                                             \ to indicate a registry path, or without \ to indicate a registry value
                                             name. You can also use the Negate option to indicate that the rule
                                             requires that a certain registry path or value name is not present on the
                                             endpoint. This rule does not support using the value data.
                                             For example, the following shows a system where Firefox is installed. In
                                             this example, the registry path is Computer\HKEY_LOCAL_
                                             MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\88.0 (x64
                                             en-US)\Main. The value name is Install Directory, and the
                                             value data is C:\Program Files\Mozilla Firefox. You can
                                             configure a registry key rule to match Computer\HKEY_LOCAL_
                                             MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\88.0 (x64
                                             en-US)\Main as the path or Install Directory as the registry
                                             value name, but you cannot configure a rule to match C:\Program
                                             Files\Mozilla Firefox.

FortiSASE SIA 21.2.14 Administration Guide                                                                                    25
Fortinet Technologies Inc.
Configuration

    Rule type                OS              Description

                                             The endpoint must satisfy all configured conditions to satisfy this rule.
                                             For example, if the rule is configured to require registry key A, registry
                                             key B, and NOT registry key C, then the endpoint must have both
                                             registry keys A and B and not registry key C.

    Running Process          l    Windows    In the Process Name field, enter the process name. You can also use
                             l    macOS      the Negate option to indicate that the rule requires that a certain
                             l    Linux      process is not running on the endpoint.
                                             The endpoint must satisfy all configured conditions to satisfy this rule.
                                             For example, if the rule is configured to require process A, process B,
                                             and NOT process C, then the endpoint must have both processes A and
                                             B running and process C not running.

    Sandbox                  l    Windows    From the Sandbox Detection dropdown list, select the desired
                             l    macOS      condition. You can require that Sandbox detected malware on the
                             l    Linux      endpoint in the last seven days. You can also use the Negate option for
                                             the rule to require that Sandbox did not detect malware on the endpoint
                                             in the last seven days.

    Severity Level           l    Windows    From the Severity Level dropdown list, select the desired vulnerability
                             l    macOS      severity level.
                             l    Linux

    User Identity            l    Windows    Under User Identity, select the following:
                             l    macOS       l User Specified: endpoint user manually entered their personal
                             l    Linux         information in FortiClient.
                             l    iOS         l Social Network Login: endpoint user provided their personal
                             l    Android       information by logging in to their Google, LinkedIn, or Salesforce
                                                account in FortiClient. You can further select one of the following:
                                                  l All Accounts: all endpoints where the user logged in to the
                                                    specified social network account type.
                                                  l Specified: enter a specific Google, LinkedIn, or Salesforce
                                                    account. For example, you can enter
                                                    joanexample@gmail.com to configure the rule to apply
                                                    specifically to only that Google account. You can specify
                                                    multiple social network accounts.
                                             FortiSASE SIA considers the endpoint as satisfying the rule if it satisfies
                                             one of the conditions.
                                             You can also use the Negate option for the rule to require that the
                                             endpoint user has not manually entered user details or logged in to a
                                             social network account to allow FortiClient to obtain user details.
                                             FortiClient iOS does not support social network login with LinkedIn or
                                             Salesforce. FortiClient Android does not support social network login
                                             with Salesforce.

    Windows Security         l    Windows    From the Windows Security dropdown list, select the desired
                                             conditions. You can require that an endpoint have Windows Defender,
                                             Bitlocker Disk Encryption, Exploit Guard, Application Guard, and/or
                                             Windows Firewall enabled. You can also use the Negate option for the
                                             rule to require that the endpoint have Windows Defender, Bitlocker Disk
                                             Encryption, Exploit Guard, Application Guard, and/or Windows Firewall
                                             disabled.
                                             The endpoint must satisfy all configured conditions to satisfy this rule.

                             For some rule types, such as the Running Process rule type, the endpoint must satisfy all
                             conditions to satisfy the rule. There may be situations where you want FortiSASE SIA to apply
                             the same tag to endpoints that satisfy different conditions. Consider that you want FortiSASE
                             SIA to tag endpoints that are running Process A or Process B as "RP". In this case, you can
                             create two rule sets: one for endpoints running Process A and another for endpoints
                             running Process B, both of which apply the "RP" tag to eligible endpoints.
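The following is an added illustration, not FortiSASE SIA code, of the tagging logic described above: conditions inside one rule set are ANDed (with Negate inverting a single condition), while several rule sets that apply the same tag act as an OR. The rule-set names, the process names and the endpoint facts are constructed sample data.

```python
"""Model of Zero Trust tagging rule evaluation (added illustration, not Fortinet code).

A RuleSet applies its tag only if every Condition holds (AND within a rule set).
An endpoint collects the tags of every rule set it matches, so two rule sets
carrying the same tag behave as an OR, as the guide recommends for
"Process A or Process B".
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Condition:
    """One condition inside a rule set, e.g. 'process X is running'."""
    kind: str            # hypothetical fact category: "process", "registry", ...
    value: str
    negate: bool = False  # Negate option: the endpoint must NOT have `value`

    def matches(self, endpoint: dict) -> bool:
        present = self.value in endpoint.get(self.kind, set())
        return present != self.negate


@dataclass
class RuleSet:
    """A rule set applies `tag` when all of its conditions hold."""
    name: str
    tag: str
    conditions: list

    def matches(self, endpoint: dict) -> bool:
        return all(c.matches(endpoint) for c in self.conditions)


def tags_for(endpoint: dict, rule_sets: list) -> set:
    """Tags an endpoint earns: every matching rule set contributes its tag (OR across rule sets)."""
    return {rs.tag for rs in rule_sets if rs.matches(endpoint)}


# Two rule sets with the same tag implement "Process A OR Process B" -> "RP".
# The third shows a single rule set with three ANDed conditions: A AND B AND NOT C.
RULE_SETS = [
    RuleSet("rp-a", "RP", [Condition("process", "ProcessA.exe")]),
    RuleSet("rp-b", "RP", [Condition("process", "ProcessB.exe")]),
    RuleSet("strict", "Strict", [
        Condition("process", "ProcessA.exe"),
        Condition("process", "ProcessB.exe"),
        Condition("process", "ProcessC.exe", negate=True),
    ]),
]

# Constructed endpoint facts (hypothetical, not FortiClient output).
ENDPOINTS = {
    "host-1": {"process": {"ProcessA.exe", "ProcessB.exe"}},
    "host-2": {"process": {"ProcessB.exe", "ProcessC.exe"}},
    "host-3": {"process": {"explorer.exe"}},
}

if __name__ == "__main__":
    for host, facts in ENDPOINTS.items():
        print(host, sorted(tags_for(facts, RULE_SETS)))
```

host-1 earns both RP (via either rule set) and Strict; host-2 earns only RP, because the Strict rule set fails on the missing Process A and on Process C being present; host-3 earns nothing.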

System

Certificates

    You can upload a certificate for use with SSL deep inspection, and LDAP and SAML SSO authentication.

    To upload a certificate:

    1.   Go to System > Certificates.
    2.   Click Import, then select CA Certificate or Remote Certificate.
    3.   Configure the fields and upload the certificate and key files as needed.
    4.   Click OK.

HTML Templates

    You can customize block pages that display on endpoints in certain situations, such as if FortiSASE SIA has blocked
    access based on Application Control settings. For example, you can customize the message to add your company logo
    and include your helpdesk phone number so that users can contact the network administration about their machine. You
    can also customize the email to send to users to invite them to FortiSASE SIA.
    This example modifies the Application Control block page to use the Fortinet logo instead of the FortiSASE SIA logo and
    include a phone number.

    To customize the Application Control block page:

    1. Go to System > HTML Templates.
    2. On the Images tab, click Create.
    3. In the Name field, enter the desired name. This example uses ftnt.
    4. Upload the desired logo.
    5. Click OK.
    6. On the Templates tab, select Application Control Block Page, then click Edit.
    7. To replace the FortiSASE SIA logo, replace %%IMAGE:logo_fortisase_sia&%% with %%IMAGE:<name>%%, where <name> is
       the image name you entered in step 3. In this example, it is replaced with %%IMAGE:ftnt%%.
    8. To add a phone number to the message, modify the You have attempted... element as desired.
    9. Click Save. The endpoint user sees this page when they attempt to view an application that FortiSASE SIA
       Application Control is blocking access to.
Logging

   Logging and monitoring are useful components to help you understand what is happening on your network, and to inform
   you about network activities, such as a virus detection, visit to an invalid website, intrusion, failed login attempt, and
   others.

   To find a connected user and drill down on logs:

   1. Go to Dashboards > Users & Devices > VPN Monitor.
   2. The VPN Monitor displays currently connected VPN users. If desired, apply filters to the list of users displayed. For
      example, you can apply the Duration filter to only view users who have been connected for one to two hours:

   3. Right-click the user that you want to drill down on. Select one of the following options:
       l   Show In FortiView: goes to the FortiView VPN dashboard, which displays real-time VPN connection
           information for the selected user. To view historical data for the user, select 1 Day or 1 Week from the
           dropdown list in the top right corner.
       l   Show Matching Traffic Logs: displays real-time traffic logs for the selected user. To view historical data for the
           user, select the applied Date filter. Apply a new filter for the desired time range.

Forwarding logs to an external server

   You can configure FortiSASE SIA to forward logs to an external server, such as FortiAnalyzer.

   To forward logs to an external server:

   1. Go to Logging > Log Settings.
   2. Enable Log Forwarding.
   3. From Remote Server Type, select FortiAnalyzer, Syslog, or Common Event Format (CEF).
   4. In the Server Address and Server Port fields, enter the desired address and port for FortiSASE SIA to communicate
      with the server.
   5. Enable Reliable Connection to use TCP for log forwarding instead of UDP.
   6. Click OK.
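When the remote server type is Syslog or Common Event Format (CEF), the receiving collector has to parse what arrives. The following is an added example, not FortiSASE SIA or FortiAnalyzer code: a receiver-side CEF parser that strips an optional syslog priority, splits the seven pipe-delimited header fields (honouring the `\|` and `\\` escapes) and unpacks the key=value extension (honouring `\=`). The two sample lines, including the vendor and product names, are constructed placeholders and not real FortiSASE SIA output.

```python
"""Receiver-side parser for Common Event Format (CEF) lines.

Added example, not FortiSASE SIA or FortiAnalyzer code. Sample lines are
constructed placeholders; the header layout follows the public CEF format:
CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
"""
import re

# Optional "<PRI>" syslog prefix and any timestamp/host text before "CEF:".
_SYSLOG_PREFIX = re.compile(r"^(?:<(?P<pri>\d{1,3})>)?(?P<rest>.*?)(?P<cef>CEF:.*)$")
# Extension keys start at the beginning or after whitespace, so values may contain spaces.
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")

HEADER_FIELDS = ("cef_version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")


def _split_header(body: str, n_fields: int = len(HEADER_FIELDS)) -> list:
    """Split the first n_fields pipe-delimited fields (unescaping '\\|' and '\\\\');
    the remainder, which may contain unescaped pipes, is returned as the last element."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < n_fields:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # escaped '|' or '\'
            cur.append(body[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur) + body[i:])
    return fields


def _parse_extension(ext: str) -> dict:
    """Turn 'k1=v1 k2=v2 with spaces' into a dict, unescaping '\\=' and '\\\\'."""
    out = {}
    keys = list(_EXT_KEY.finditer(ext))
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].strip()
        out[m.group(1)] = raw.replace("\\=", "=").replace("\\\\", "\\")
    return out


def parse_cef(line: str) -> dict:
    """Parse one syslog/CEF line; raises ValueError if it is not well-formed CEF."""
    m = _SYSLOG_PREFIX.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("no 'CEF:' marker in line")
    fields = _split_header(m.group("cef")[len("CEF:"):])
    if len(fields) != len(HEADER_FIELDS) + 1:
        raise ValueError("expected 7 header fields plus extension, got %d" % (len(fields) - 1))
    record = dict(zip(HEADER_FIELDS, fields[:-1]))
    record["syslog_pri"] = int(m.group("pri")) if m.group("pri") else None
    record["extension"] = _parse_extension(fields[-1])
    return record


# Constructed sample lines with placeholder vendor/product names (not real log output).
SAMPLE_LINES = [
    "<134>Jul  8 10:15:22 sase-gw CEF:0|ExampleVendor|ExampleSASE|1.0|webfilter-block"
    "|URL blocked|6|src=10.1.2.3 dst=203.0.113.10 request=http://blocked.example/path"
    " msg=Category\\=Malicious act=blocked",
    "CEF:0|ExampleVendor|ExampleSASE|1.0|app\\|control|App blocked|5|suser=joan.example app=SSH cnt=3",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_cef(line)
        print(rec["signature_id"], rec["severity"], rec["extension"])
```

The header splitter stops after the seventh pipe on purpose: the extension is allowed to contain unescaped pipes, so splitting the whole line on `|` would corrupt values such as URLs or messages. Only a reliable (TCP) forwarding connection preserves line boundaries under load, so a collector fed over UDP should also expect truncated lines, which this parser rejects with ValueError rather than mis-attributing fields.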

Limitations

    For a list of known issues, see the Release Notes.

Endpoint (FortiClient)

     l   FortiSASE SIA supports FortiClient 6.4.4. Use of other FortiClient versions with FortiSASE SIA is not supported and
         may cause behavior differences.
     l   IPv6 traffic does not go through the FortiSASE SIA tunnel as FortiClient does not support dual stack VPN.
     l   For an endpoint to be able to connect to FortiSASE SIA via an SSL VPN tunnel, the FortiSASE SIA environment
         must have at least one SSL VPN allow policy configured. See Adding policies to perform granular firewall actions
         and inspection on page 7.

FortiClient Cloud

     l   The FortiSASE SIA license includes the FortiClient Cloud instance that licenses and provisions endpoints. You
         cannot access the FortiClient Cloud instance to configure it. You must use FortiSASE SIA with the included
         FortiClient Cloud instance. You cannot apply a FortiSASE SIA license to an existing FortiClient Cloud instance.

Authentication

     l   Other methods of user authentication will not work once SAML SSO is enabled.
     l   Not all options for LDAP server configuration are available on FortiSASE SIA.

Troubleshooting

   FortiSASE SIA supports the FortiGate Support Tool. The FortiGate Support Tool is a Google Chrome extension that can
   execute background debugs on the FortiSASE SIA GUI to troubleshoot errors. Using the tool, you can create a file to
   provide to Fortinet Support for troubleshooting. See Troubleshooting Tip: GUI slowness and errors via FortiGate
   support tool.

Appendix - Egress IP addresses

   The following provides a list of egress IP addresses for FortiSASE SIA. You can use this list in access control lists to
   allow access to internal applications from FortiSASE SIA only.

    No.    Subnet
    1      66.35.18.0/24
    2      66.35.19.0/24
    3      66.35.21.0/24
    4      65.35.29.0/24
    5      206.47.184.0/24
    6      66.35.23.0/24
    7      149.5.234.0/24
    8      154.52.2.0/24
    9      154.52.3.0/24
    10     154.52.4.0/24
    11     154.52.5.0/24
    12     154.52.6.0/24
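As an added example (not Fortinet code), the following uses the twelve subnets listed above to make the decision an access control list in front of an internal application has to make: is this source address one of the FortiSASE SIA egress ranges or not? It also collapses adjacent /24s into the shortest equivalent CIDR list, which keeps ACLs small. The source addresses checked in the test are constructed.

```python
"""Egress-subnet allowlist check (added example, not Fortinet code).

EGRESS_SUBNETS copies the appendix table above. A request reaching an internal
application is considered to come via FortiSASE SIA only if its source address
falls inside one of these ranges.
"""
import ipaddress

# Egress subnets as listed in the appendix (No. 1-12), copied verbatim.
EGRESS_SUBNETS = [
    "66.35.18.0/24", "66.35.19.0/24", "66.35.21.0/24", "65.35.29.0/24",
    "206.47.184.0/24", "66.35.23.0/24", "149.5.234.0/24", "154.52.2.0/24",
    "154.52.3.0/24", "154.52.4.0/24", "154.52.5.0/24", "154.52.6.0/24",
]
_NETWORKS = [ipaddress.ip_network(s) for s in EGRESS_SUBNETS]


def matching_subnet(src: str):
    """Return the egress subnet containing `src`, or None if `src` is not a SASE egress address.
    IPv6 sources never match (the list is IPv4 only), which is the desired default-deny outcome."""
    addr = ipaddress.ip_address(src)
    for net in _NETWORKS:
        if addr in net:
            return str(net)
    return None


def is_sase_egress(src: str) -> bool:
    """ACL decision: True means the source is inside one of the listed egress ranges."""
    return matching_subnet(src) is not None


def collapse(subnets) -> list:
    """Merge adjacent ranges into the smallest equivalent set of CIDRs,
    e.g. 154.52.2.0/24 + 154.52.3.0/24 -> 154.52.2.0/23, for shorter ACL entries."""
    nets = (ipaddress.ip_network(s) for s in subnets)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    # Constructed sample sources; 198.51.100.0/24 is documentation address space.
    for src in ("154.52.3.77", "198.51.100.4", "2001:db8::1"):
        print(src, "allow" if is_sase_egress(src) else "deny", matching_subnet(src))
    print(collapse(EGRESS_SUBNETS))
```

Keep the list in one place and regenerate the ACL from it; when Fortinet publishes a changed egress list, a stale copy in a firewall rule silently turns into either an outage (new range missing) or an over-broad allow (old range reassigned to someone else).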

www.fortinet.com

Copyright© 2021 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were
attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance
results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract,
signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change,
modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.